Instructions for connecting a workstation or device to the Incisive inCLOUD network

Step 1. Choose to use either Watchguard Authpoint app or a Watchguard passcode generator, so Incisive can enable your MFA authentication access.

Step 2. Create a RemoteApp connection to the Incisive inCLOUD servers.

• from a Windows workstation
• from an Apple Macbook or iPad tablet

Step 3. Download and install TSPrint & TSscan client applications to your workstation/device to improve your printing & scanning experience.

• Installing TSPrint and TSScan client applications

Step 4. (optional) Link to the 'Incisive Files' online storage location to make it easier to upload/download information.

• For Windows
  • Request the script from the Incisive Helpdesk 
  • Open 'Windows Powershell' on your PC (Windows) and paste the contents of the script into Powershell
  • Press Enter to execute the command.  Close the window when it has completed)
    (you should now see am 'Incisive Files P:' in Windows Explorer)
• For Apple, request assistance from the Incisive Helpdesk

Troubleshooting

The RemoteApp shortcut can be linked to a User profile which can cause problems if different people log on and use the same workstation.

Options to remediate this or provide a workaround are:

1. Use the browser to connect to https://secure.incloud.clinic/rdweb and log in using an inCLOUD login that you can authenticate.
2. Remove the 'Remember Me' options for the logins so that you are prompted each time for an inCLOUD login and password.
3. Use inCLOUD logins that are only used for a particular workstation/laptop
4. Configure Control Panel > Remote App connections for each Windows login that is going to use the workstation.
   This option should allow the User's profile to connect to an inCLOUD login that may have been allocated to a person, not a workstation.

Problem:

When the Powershell script is run on the local computer, to add the P: mapped drive and credentials, it all completes correctly but the mapped drive may not be visible in Explorer, to the end-user.

Diagnose:

It's likely that the Powershell script was run in Administrator mode, not in the User context.

Open the command prompt as Administrator and change to the mapped drive.  If it appears when using the elevated Administrator prompt only then the following will fix the problem.

Solution:

Option 1.

Re-run the powershell script but do not elevate it to Run As Administrator.

Option 2.

1. 1. In Registry Editor, locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
   2. Right-click Configuration, select New, and then select DWORD (32-bit) Value.
   3. Name the new registry entry as EnableLinkedConnections.
   4. Double-click the EnableLinkedConnections registry entry.
   5. In the Edit DWORD Value dialog box, type 1 in the Value data field, and then select OK.
   6. Exit Registry Editor, and then restart the computer

Microsoft are progressively enforcing the use of Multi-Factor-Authentication (MFA), which means you will need to use an Authenticator app to allow emails to be imported into the Message Centre, for your @incloud.clinic email address. Incisive only allow @incloud.clinic email accounts to import emails because they are protected from spam and viruses, by Microsoft Defender for Office365.

If the following message box appears, it means you need to use MFA to authenticate the login

The steps to implement MFA for the email account are straight-forward and once initiated, you'll only need to authenticate the account every 12 months.

We recommend that the MFA should be installed and managed by the practice or hospital manager.

1. If you don't already have the free Microsoft Authenticator app, download and install it on a phone.
   Use your phone camera to scan the following QR code for:
   

   Apple App Store

   Google Play Store

   
   If you have an older phone you may be prompted to download and install an earlier version of the Microsoft Authenticator app.
   
   You can use an alternate authenticator app, but you will need to complete the configuration yourself.
   
   
2. Start the Message Centre and proceed through the prompts, until you get to the message saying 'Scan the QR code'.
   
   
   
3. When prompted, open the Microsoft Authenticator app, click on the + symbol in the top right corner and then select the 'Scan QR code' option.  Point it at the QR code on the screen and it will add the necessary security tokens.
   
   
   
4. Your @incloud.clinic email account has now been added to the app.
   
   
   
5. When you start the Message Centre a prompt may appear asking if you want to use the Authenticator app.  You will also receive a notification on the phone.  Open the notification and approve the authentication request.
   

Incisive inCLOUD is including another layer of security, to protect your information even further.

New servers have been added to the computing farm, which are configured to require ‘Multi-Factor Authentication’ (MFA or 2FA) to allow a remote connection to be established. This does mean there is an additional step in the process to log on, but it is a very effective barrier to unwanted cyber-intruders.

All new users of Incisive inCLOUD are using the MFA system and we are also requiring all existing customers to also upgrade the method they use to connect.

The authentication levels used to secure the Incisive inCLOUD system are:

1. inCLOUD network connection using your usual login e.g. incloud\mypractice01
2. Passcode input, generated from the Authpoint app or hardware fob (new step)
3. Incisive application login

In addition, only connections from New Zealand based IP addresses (your router’s internet address) are permitted, without needing to use a separate VPN connection.

The passcode is generated either from an app on your phone or a special hardware generator. These create a one-time passcode which you input during the connection process. This method of Multi-Factor Authentication is now used in all public hospitals, after the malware attack on the Waikato DHB last year.

There are several key reasons we have chosen to include MFA:

• CertNZ recommends MFA/2FA protection as an important security step;
• the Privacy Act requires health agencies to take ‘reasonable security safeguards’ to protect health information;
• the National Cyber Security Centre’s advisory for the increased threat of targeted cyber intrusion because of military actions between Ukraine and Russia.

Frequently asked questions.

What will change for us?

1. The icon that you use to connect to the Incisive inCLOUD will need to be modified so it points to the new system (secure.incloud.clinic instead of incisive.incloud.clinic).  This needs to occur on each computer that connects to Incisive inCLOUD.
2. You will need the Watchguard Authpoint app installed on a mobile phone or have a hardware passcode generator, so that you can use either, each time you connect to the Incisive inCLOUD.

How does the MFA work?

During the process to connect to Incisive inCLOUD, a screen will appear prompting whether you want to use the 'Push' or 'One-Time-Passcode' option. If the Push option is used a notification will appear, which can be 'Approved', or if the Passcode option is used, the number can be entered from either the Authpoint app or Hardware token generator. The Incisive application will then continue to start.

See the Multi Factor Authentication (MFA) training videos.

• Installing and configuring the Authpoint app (53 seconds)
• Authenticating using the Push notification (62 seconds)
• Authenticating by entering a Passcode (62 seconds)

What happens if I don't have my phone?

We recommend that you have access to both the Watchguard passcode generator and also the Authpoint app, so there are alternative methods of generating the passcode. If neither are available, there is a ‘Forgot Token’ option where we need to be involved to allow access for a limited time.

The Incisive inTOUCH mobile app can also be used to access your clinic or operating lists and view the patient’s records.

We are a large practice/hospital and different staff frequently use the same computer.

There is no change with how you currently use Incisive inCLOUD except that the first person who logs on will need to enter a Passcode from either the Authpoint app or the Watchguard passcode generator.

Is each staff member going to need the Authpoint app on their phone?

The Passcode that is generated is linked to an individual Incisive inCLOUD login. This means that for each login there will need to be either a specific hardware passcode generator or an Authpoint app token. It is possible (but not very practical) to have the Authpoint app on a single ‘Practice’ based phone, which has the ability to remotely ‘Approve’ a connection or issue a One-Time Passcode (OTP) for multiple logins.

If the user is accessing Incisive inCLOUD from different locations (such as the specialist) then they should always use the Authpoint app on their own phone.

Are there charges?

The MFA technology is provided through an internationally respected company which does charge for its products and services. There will be changes to our fees to cover their costs and the hardware token generator can be purchased separately. Given the severe disruption that can occur from cyber-attacks, security costs are now regarded as an expected overhead of doing business.

Everyone using Incisive inCLOUD will need to upgrade to the same level of high security.

I use an Apple Mac. Do I need to use MFA?

Yes.

Is the change going to disrupt the running of our practice/hospital?

All the preparation can be completed in the background while you continue to use the existing connection method. When you are ready to start using MFA, you just start using a different shortcut icon. Everything will continue to function as it is now. The connection process will take slightly longer.

When is the change going to occur and what do we need to do?

The process to migrate existing Incisive inCLOUD users to use secure.incisive.incloud, has already started. We will shortly be inviting you to be involved as we expect that everyone will be migrated before the end of the year. We will work with you to ensure the timing works well for you.

You will need to:

• decide how many Watchguard hardware fobs you want;
• download and install the Watchguard Authpoint app, for the mobile users; and
• provide an email address for each connection.

What are the options if I don't want to use MFA?

Because the database that you use for your records, is the same for any Windows operating system, we can remove your records from the Incisive inCLOUD system so you can have them on your own on-site server.

Are any other security changes going to occur?

The Windows tsclient link to your computer’s drives will eventually be disabled and is replaced with the ‘Incisive Files’ drive that has been provided to assist with easy upload and download of files/photos to and from the Incisive inCLOUD system. This allows us to virus-scan the files being uploaded and close another possible intrusion point from your computer.

The operating system for the servers is being upgraded to Windows Server 2022, which has significant improvements in the detection and protection against malware attempts.

Is MFA going to make my information completely secure?

As I'm sure you have experienced, the cyber-security requirements are in a state of constant change. Protection is almost always a patching exercise to cover the holes that have previously been exposed by those wanting to get to your information or use you as a spring-board into someone else’s system.

100% protection would mean that the Incisive inCLOUD system would have to be so locked down that remote access from your own computers or devices, would be virtually impossible to use and very expensive to implement. To provide a system that is workable for you, there is always a degree of compromise between accessibility and protection. Which is why we have backups and fail-over functions.

If you have any questions please get in touch with us at help@incisivesupport.com 

To start using the Multi-Factor Authentication function with Incisive inCLOUD, you need to:

1. Provide us with a unique email address for each login to Incisive inCLOUD and indicate whether you want to authenticate using an app on your phone or use a hardware fob
   If you haven't already completed this step, you can use the template in this link to help you list your requirements, then send it back to us.
   
   
2. An email will be sent to the email addresses, from wgcloud-no-reply@jpn.cloud.watchguard.com, with information on how to install and Activate the Watchguard Authpoint app.  The app needs to be activated on your phone within 7 days of receiving the email.  The activation process can occur from your computer or the app on your phone.